| permalink | /labs/lab-03 |
|---|---|
| title | Lab 03 - Security Scanning with Copilot Agents |
| description | Run the security-reviewer, iac-security, and supply-chain-security agents to find OWASP Top 10 vulnerabilities, infrastructure misconfigurations, and dependency risks in the sample app. |
| Duration | 40 minutes |
| Level | Intermediate |
| Prerequisites | Lab 00, Lab 01, Lab 02 |
By the end of this lab, you will be able to:
- Run the security-reviewer-agent to find OWASP Top 10 vulnerabilities in source code
- Run the iac-security-agent to find infrastructure misconfigurations in Bicep templates
- Run the supply-chain-security-agent to find dependency risks in package manifests
- Interpret security findings with CWE IDs and severity levels
In this exercise you use the Security Reviewer Agent to scan the sample app source code for common vulnerabilities.
-
Open the Copilot Chat panel (
Ctrl+Shift+I). -
Type the following prompt:
@security-reviewer-agent Scan sample-app/src/ for OWASP Top 10 vulnerabilities. Report findings with CWE IDs and severity. -
Wait for the agent to complete its analysis. Review the output and look for these categories of findings:
Finding CWE File SQL injection via string concatenation CWE-89 sample-app/src/lib/db.tsCross-site scripting (XSS) via dangerouslySetInnerHTMLCWE-79 sample-app/src/components/ProductCard.tsxHardcoded secrets (JWT secret, API key) CWE-798 sample-app/src/lib/auth.tsWeak cryptographic hashing (MD5) CWE-328 sample-app/src/lib/auth.tsPredictable token generation ( Math.random())CWE-330 sample-app/src/lib/auth.ts -
Note the severity level assigned to each finding. Critical and High findings represent immediate risks that should be addressed before deployment.
Next, scan the infrastructure-as-code template for security misconfigurations.
-
In Copilot Chat, type:
@iac-security-agent Scan sample-app/infra/main.bicep for security misconfigurations -
Review the findings. The agent should identify issues such as:
- Public blob access enabled on the storage account
- TLS 1.0 permitted (minimum TLS version should be 1.2)
- HTTP traffic allowed (HTTPS should be enforced)
- Overly permissive firewall rules
- Plaintext SQL administrator password passed as a parameter
-
For each finding, note the line number in
main.bicepand the recommended remediation.
Now analyze the project dependencies for known vulnerabilities and license risks.
-
In Copilot Chat, type:
@supply-chain-security-agent Analyze sample-app/package.json for dependency vulnerabilities and license risks -
Review the findings. Common issues include:
- Dependencies with known CVEs
- Missing lockfile integrity checks
- Outdated packages with available security patches
- License compatibility concerns
-
Note which dependencies the agent flags and the recommended upgrade paths.
In Lab 01 you manually reviewed the sample app and identified intentional vulnerabilities. Now compare those manual findings against the agent results.
-
Open your notes from Lab 01 (or revisit
sample-app/src/andsample-app/infra/to refresh your memory). -
Create a comparison table:
Issue Found Manually (Lab 01) Found by Agent (Lab 03) SQL injection in db.tsYes / No Yes / No XSS in ProductCard.tsxYes / No Yes / No Hardcoded secrets in auth.tsYes / No Yes / No Weak crypto in auth.tsYes / No Yes / No TLS misconfiguration in main.bicepYes / No Yes / No -
Consider these questions:
- Which issues did the agents find that you missed during manual review?
- Did you spot anything in Lab 01 that the agents did not flag?
- How does automated agent scanning complement manual code review?
Before proceeding, verify:
- The security-reviewer-agent found vulnerabilities in the source code with CWE IDs
- The iac-security-agent found misconfigurations in the Bicep template
- The supply-chain-security-agent analyzed dependencies for risks
- You identified at least 5 total vulnerabilities with CWE IDs across all scans
- You compared agent findings against your manual review from Lab 01
Proceed to Lab 04 — Accessibility Scanning with Copilot Agents.